Threat Lab Exclusive: If Your Copier / Scanner Calls, Don’t Answer!

October 3, 2017 | By Comodo

UPDATE AND CORRECTION: Konica Minolta C224e is not sending you dangerous phishing emails. Malicious hackers have created an email and file designed to look like a legitimate scanned document from a Konica Minolta C224e, however, the file does not come from a Konica Minolta C224e and does not contain a scanned document. You’ll want to verify the source of the email.

The latest exclusive is the Lab’s discovery of a late September wave of new ransomware phishing attacks, building on attacks first discovered by the Comodo Threat Intelligence Lab this summer. This newest campaign mimics your organization’s vendors and even your trusty office copier/scanner/printer from industry leader Konica Minolta. It uses social engineering to engage victims and is carefully designed to slip past machine learning algorithm-based tools from leading cybersecurity vendors, infect your machines, encrypt their data, and extract a bitcoin ransom. Here is the ransom demand screen seen by victims in the September 18-21, 2017 attacks:

This new wave of ransomware attacks uses a botnet of zombie computers (usually connected to network through well-known ISPs) to coordinate a phishing attack which sends the emails to victim accounts. As with the IKARUSdilapidated attacks in early and late August 2017 respectively, this campaign utilizes a “Locky” ransomware payload.

The larger of the two attacks in this latest Locky ransomware wave is presented as a scanned document emailed to you from your organization’s scanner/printer (but is actually from an outside hacker-controller machine). Employees today scan original documents at the company scanner/printer and email them to themselves and others as a standard practice, so this malware-laden email looks quite innocent but is anything but harmless (and most definitely is not from your organization’s Konica Minolta copier/scanner). How harmless? See the below email.

One element of the sophistication here is that the hacker-sent email includes the scanner/printer model number that belongs to the Konica Minolta C224e, one of the most popular models among business scanner/printers, commonly used in European, South American, North American, Asian and other global markets.

Both campaigns started on September 18, 2017 and appear to have effectively ended on September 21, 2017 but we should all expect similar attacks in the near future.
The encrypted documents in both new September attacks have a “.ykcol” extension and the “.vbs” files are distributed via email. This shows that malware authors are developing and changing methods to reach more users and bypass security approaches which use machine learning and pattern recognition.
Here is a heat map of the first new attack on September 18, 2017, featuring the “Message from KM_C224e” subject line followed by the source countries of the machines used in the botnet to send the emails:

Country

Sum – Count Of Emails

Vietnam

26,985

Mexico

14,793

India

6,190

Indonesia

4,154

ISPs in general were co-opted heavily in this attack which points to both the sophistication of the attack and inadequate cyber-defense at their endpoints and with their own network and website security solutions. As with the August attacks, many servers and devices in Vietnam and Mexico were utilized to execute the global attacks. Here are the leading range owners detected in the “Message from KM_C224e” attack:

Range Owner

Sum – Count Of Emails

Vietnam Posts and elecommunications(VNPT)

18,824

VDC

4,288

Lusacell

3,558

Cablemas Telecomunicaciones SA de CV

2,697

Turk Telekom

2,618

Cablevision S.A de.C.V

2,207

The smaller of the 2 prongs in this September campaign sends phishing emails with the subject, “Status of invoice” and appears to be from a local vendor, even including a greeting of “Hello,” a polite request to view the attachment, and a signature and contact details from a fictitious vendor employee. Again, notice how familiar the email looks to

anyone involved with finance or working with any outside vendors:

When the attachment is clicked it appears as a compressed file to be unpacked:

Here you can see a sample of the scripting, which is quite different than that used in the attacks earlier in August 2017.

The ransom demand range of .5 bitcoins to 1 bitcoin in both new cases mirrors that of the August attacks. On September 18th, 2017 the value of 1 bitcoin equaled just over $4000.00 US Dollars (and 3467.00 Euros).

For the September 18, 2017 attack featuring the “Status of invoice” subject line, the Americas, Europe, India and Southeast Asia were impacted heavily, but Africa, Australia and many, islands were also hit by these attacks.

The phishing and Trojan experts from the Comodo Threat Intelligence Lab (part of Comodo Threat Research Labs) detected and analyzed more than 110,000 instances of phishing emails at Comodo-protected endpoints within just the first three days of this September 2017 campaign.

The attachments were read at Comodo-protected endpoints as “unknown files,” put into containment, and denied entry until they were analyzed by Comodo’s technology and, in this case, the lab’s human experts.

The Lab’s analysis of emails sent in the “Message from KM_C224e” phishing campaign revealed this attack data: 19,886 different IP addresses being used from 139 different country code top-level domains.

The “Status of invoice” attack utilized 12,367 different IP addresses from 142 country code domains. There are a total of 255 top level country code domains maintained by the Internet Assigned Numbers Authority (IANA), meaning both of these new attacks targeted over half of the nation states on earth.

“These types of attacks utilize both botnets of servers and individuals’ PCs and new phishing techniques using social engineering for unsuspecting office workers and managers. This enables a very small team of hackers to infiltrate thousands of organizations and beat A.I. and machine learning-dependent endpoint protection tools, even those leading in Gartner’s recent Magic Quadrant.” said Fatih Orhan, head of the Comodo Threat Intelligence Lab and Comodo Threat Research Labs (CTRL). “Because the new ransomware appears as an unknown file, it takes a 100% ‘default deny’ security posture to block or contain it at the endpoint or network boundary; it also requires human eyes and analysis to ultimately determine what it is- in this case, new ransomware.”
Want a deeper dive into the attack data? Check the new Comodo Threat Intelligence Lab’s “SPECIAL REPORT: SEPTEMBER 2017 – RANSOMWARE PHISHING ATTACKS LURE EMPLOYEES, BEAT MACHINE LEARNING TOOLS (Part III of the Evolving IKARUSdilapidated and Locky Ransomware Series).” The Special Report is one of many included with a free subscription to Lab Updates at https://comodo.com/lab. It provides in-depth coverage of the September 18-21, 2017 wave of attacks, with more analysis and with appendices that include more detail on the sources and machines used in the attacks. Your Lab Updates subscription also includes Parts I and II of the “Special Report: IKARUSdilapidated Locky Ransomware” series and also provides you with the Lab’s “Weekly Update” and “Special Update” videos. Subscribe today at comodo.com/lab.

Be part of an IT community with thousands of subscribers. Get the latest news, blogs, and thought leadership articles. Subscribe now